
Cyber Solidarity Act (EU Cyber Solidarity Act (Regulation 2024/2691))

EU regulation, adopted late 2024, establishing a coordinated cross-Member-State mechanism for detecting, preparing for, and responding to large-scale cybersecurity incidents. Funds the European Cybersecurity Shield, a Cyber Emergency Mechanism, and a Cybersecurity Incident Review Mechanism.

## What the Cyber Solidarity Act actually is

The Cyber Solidarity Act (Regulation EU 2024/2691) is the EU's response to the realisation that cybersecurity capability remains fragmented across Member States, while the cybersecurity threat does not. The regulation was politically agreed in early 2024 as part of the European Cybersecurity Package, alongside amendments to the Cybersecurity Act and a managed-services regulation.

Where [NIS2](/en/glossary/nis2/) imposes obligations on individual entities and the [Cyber Resilience Act](/en/glossary/cyber-resilience-act/) regulates product security, the Cyber Solidarity Act is about *collective EU-level response capability* — the coordination layer above national cybersecurity authorities.

## The three pillars

The Act creates three operational mechanisms, each with its own funding line.

### 1. European Cybersecurity Shield

A federated network of national and cross-border Security Operation Centres (SOCs). The Shield combines:

- **National SOCs** — each Member State designates one or more national SOCs receiving EU co-funding
- **Cross-border SOCs** — groupings of three or more Member States operating a shared SOC platform
- **Threat intelligence sharing** — real-time intelligence flowing through the Shield, supported by AI-based analytics
- **Public-private interface** — controlled private-sector access to Shield data for trusted entities

The Shield's stated aim is to detect cyber threats earlier, share intelligence faster across borders, and create EU-wide situational awareness comparable to what individual large nations have nationally.

### 2. Cyber Emergency Mechanism

The most operationally novel part of the Act.
The Mechanism funds:

- **Preparedness actions** — testing essential entities in critical sectors (energy, healthcare, transport, digital infrastructure) for known threats
- **A new EU Cybersecurity Reserve** — trusted private-sector providers on stand-by to respond to significant or large-scale incidents
- **Mutual assistance** — coordinated cross-Member-State response when one country's resources are overwhelmed
- **Financial assistance** to recovering Member States

The Reserve is operationally similar to civil-protection emergency rosters, but for cybersecurity firms with EU-vetted competencies.

### 3. Cybersecurity Incident Review Mechanism

For major incidents, [ENISA](/en/glossary/enisa/) is now empowered to conduct structured post-incident reviews and publish lessons-learned reports. This is conceptually similar to aviation safety incident review — institutional learning treated as a regulatory function.

## Why this is a structural shift

Three reasons the Cyber Solidarity Act matters beyond its specific provisions.

### Cybersecurity becomes federal-level EU competency

Pre-2024, EU cybersecurity policy was primarily about harmonising national obligations. The Cyber Solidarity Act creates *direct EU-level operational capability* — funded out of EU budget, coordinated by ENISA, executed via SOCs and the Reserve. This is closer to how the EU operates on currency or competition policy than how it has previously operated on security.

### Trusted private-sector cybersecurity firms gain regulatory status

The Cybersecurity Reserve creates a vetted roster of private cybersecurity providers. Being on the Reserve confers significant commercial advantage — it is, effectively, a stamp of EU-recognised competence. Vetting criteria include corporate location, ownership transparency, and (importantly) absence of non-EU legal exposure.

### Solidarity becomes mandatory, not voluntary

The "solidarity" in the title is not aspirational.
The regulation creates legal duties of mutual assistance during significant incidents. Member States cannot simply refuse to help — though the mechanisms for cost-sharing and operational command are still being worked out in implementing acts.

## Funding

The Cyber Solidarity Act is budgeted under the Digital Europe Programme:

- **~€1.1 billion** for the 2024-2027 implementation period
- Approximately **€400 million for the Shield**, with co-funding of national SOCs
- **€300+ million for the Cyber Emergency Mechanism**
- Remaining budget for incident review, training, and supporting actions

By 2027 these amounts will be reviewed, with broad expectation of significant increase if early operational learnings warrant it.

## Implementation timeline

- **Q4 2024**: Regulation adopted, entry into force
- **Q1-Q2 2025**: ENISA implementing acts (SOC requirements, Reserve criteria, intelligence sharing protocols)
- **2025**: First national SOCs designated and co-funded
- **2025-2026**: First cross-border SOC consortia announced
- **2026**: First Cybersecurity Reserve framework contracts signed
- **2026-2027**: First full operational exercises

As of 2026, the Shield is partially operational. Several cross-border SOC consortia are running — including ones involving France-Germany-Belgium and the Nordic-Baltic cluster.

## What it means in practice

### For European businesses

Most businesses will not interact directly with the Cyber Solidarity Act. The benefits flow through the Shield's improved threat intelligence, which national CSIRTs will distribute. Indirectly, the Reserve creates a high-quality private-sector pool that Member State authorities can mobilise quickly during major incidents.

For cybersecurity vendors, the Reserve is a strategic opportunity. Being on the Reserve roster is significantly valuable. This will become a competitive differentiation pillar for European cybersecurity firms.
### For regulated industries

Sectors covered by NIS2 (essential and important entities) will see enhanced threat intelligence flowing through national CSIRTs. The Shield is designed to make sectoral cyber-incident detection earlier and cross-Member-State coordination faster.

### For US-headquartered cybersecurity firms

The Reserve has explicit EU-jurisdiction requirements. US-headquartered firms generally cannot directly participate, though they may serve as sub-contractors to EU-vetted prime contractors. This is consistent with the broader pattern set by [SecNumCloud](/en/glossary/secnumcloud/) and the contested [EUCS](/en/glossary/eucs/) sovereignty criteria.

### For public-sector buyers

Public-sector procurement of cybersecurity capability is increasingly likely to prefer or require Reserve participation as a qualifying criterion. Several Member States are already drafting national procurement guidance that elevates Reserve membership to mandatory or near-mandatory status.

## Cyber Solidarity Act vs NIS2 vs CRA

| Aspect | Cyber Solidarity Act | NIS2 | Cyber Resilience Act |
|--------|----------------------|------|----------------------|
| Subject | EU-level response | Entity-level obligations | Product-level requirements |
| Funded EU action? | Yes (€1.1B) | No | No |
| Cross-border mechanism? | Core feature | Coordination only | Single market mechanism |
| Private-sector roster? | Yes (Reserve) | No | No |
| Operationalises ENISA? | Significantly | Modestly | Modestly |
| Effective from | 2024-onward | 2024 (national transposition) | 2027 full applicability |

The three regulations together form the post-2024 EU cybersecurity architecture: products (CRA), entities (NIS2), collective response (Cyber Solidarity Act).
## Practical implications

- **For most European businesses**: background regulation that improves threat intelligence available to your national CSIRT
- **For European cybersecurity vendors**: Reserve membership is a strategic opportunity worth pursuing aggressively
- **For US-headquartered cybersecurity firms**: structural barrier to direct EU public-sector engagement, mitigated only by EU JV models
- **For public-sector buyers**: Reserve membership becoming a meaningful procurement signal